General

  • Target

    7c1896ee_by_Libranalysis

  • Size

    742KB

  • Sample

    210506-3yc5x51cge

  • MD5

    7c1896eeb884021f4d74144ec78be2e8

  • SHA1

    b4fb3b31f69fc5b048eeb43ea6f8fd97f1fb8f7a

  • SHA256

    1ab3c31624f7aed4e2ec9feecee3cff24e8904709800508e13b6526369e02236

  • SHA512

    e90782dc8b8cbfa8f6052080c6daeaffccede01d57bb944a4d52b9a0fae5fe53009ba0dd4b8c5932ee09c808db38fba27bd7bc6d570d55936b49c7259bc4d935

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.joomlas123.info/3nop/

Decoy

bakecakesandmore.com

shenglisuoye.com

chinapopfactory.com

ynlrhd.com

liqourforyou.com

leonqamil.com

meccafon.com

online-marketing-strategie.biz

rbfxi.com

frseyb.info

leyu91.com

hotsmail.today

beepot.tech

dunaemmetmobility.com

sixpenceworkshop.com

incrediblefavorcoaching.com

pofo.info

yanshudaili.com

yellowbrickwedding.com

paintpartyblueprint.com

Targets

    • Target

      7c1896ee_by_Libranalysis

    • Size

      742KB

    • MD5

      7c1896eeb884021f4d74144ec78be2e8

    • SHA1

      b4fb3b31f69fc5b048eeb43ea6f8fd97f1fb8f7a

    • SHA256

      1ab3c31624f7aed4e2ec9feecee3cff24e8904709800508e13b6526369e02236

    • SHA512

      e90782dc8b8cbfa8f6052080c6daeaffccede01d57bb944a4d52b9a0fae5fe53009ba0dd4b8c5932ee09c808db38fba27bd7bc6d570d55936b49c7259bc4d935

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Formbook Payload

    • Adds policy Run key to start application

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks